Detecting a ransomware attack before the demand

The lifecycle of ransomware includes six phases: the attack, embedding and persistence, scanning, encryption, and the ransom itself. Implementing 360° visibility into your network traffic increases your chances of catching ransomware early in the kill chain. Applying behavioral analytics to look for anomalies in your network allows you to detect, prevent, and mitigate the attack.

How to catch a ransomware attack early with IronNet

Ransomware attack vectors, which network detection and response tools such as IronDefense can identify, typically include:
social engineering: spear-phishing
“legitimate” user credentials: from services such as remote desktop protocols and remote file sharing
exploitation: for example via publicly known, but unpatched, software vulnerabilities
command and control: domain generation
encryption: files are encrypted after backup files are removed

IronNet’s behavioral analytics are designed to detect these behavior indicators in advance of the ransom. The illustration below shows how IronNet analytics detect ransomware attack behaviors before the ransom stage.

[Illustration: ransomware attack with IronNet and without IronNet]
In the above illustration, based on the TTPs observed in this example attack, IronNet’s behavioral analytics can detect several connections to primary backup repositories using compromised service accounts shortly before encryption. By spotting anomalies early in the ransomware lifecycle, during the intrusion vectors and network dwell time, behavioral analytics can sound alerts to halt this type of progression.

Orchestrating response to a ransomware attack, from IronDefense to your EDR

Once IronDefense has detected behavior indicators relating to ransomware, your security team can quickly turn that alert into a security rule and push that rule to your endpoint security tool to prevent execution.

IronNet and CrowdStrike integrate out-of-the-box to give organizations new levels of visibility and response for better cyber defense.

IronNet and CrowdStrike Solution Sheet

A datasheet on how IronNet's Network Detection and Response solution integrates with the CrowdStrike platform.

Recovering after a ransomware attack with IronNet’s Professional Services

If a ransomware attack has gone undetected in your network, you need experts to help you in your recovery.

IronNet DNA

IronNet Professional Services comprises senior cybersecurity specialists from both the public and private sectors, standing out as leaders, architects, and operators.
Our Professional Services clients leverage the expertise of former elite cyber offensive and defensive operators from the US Government (Department of Defense, National Security Agency, federal agencies, USCYBERCOM), and commercial private expertise running security operations in Fortune 200 companies.
IronNet’s ability to bring together this significant public and private sector experience ensures that our clients can mature and operate highly secure enterprise networks to stay ahead of cyber threats in a fast-changing threat environment.

Ransomware attack media coverage and analysis

White paper

Ransomware attacks are always enabled by network connectivity to some degree: delivery, lateral movement/spreading, command-and-control (C2), etc. Early detection of the initial network intrusion, therefore, is crucial, before the adversary has the chance to advance the ransomware campaign.

In other words, ransomware is the very last step an attacker takes after fully compromising a network to monetize their efforts.

Discover how to catch ransomware campaigns early with NDR.

Ransomware attack technical resources

Featured

Detecting ransomware: three research-based recommendations

IronNet Threat Research team analyzes North-South, East-West, and endpoint detection opportunities
Featured

Navigating Maze ransomware

Unravel the TTPs of this high-profile ransomware — and how IronNet’s behavioral analytics can detect it, by Sachin Deodhar

On-demand demo

Discover the power of IronDefense, the industry’s most advanced network detection and response (NDR) solution to detect behavior indicators using analytics. Walk through a use case to learn more about product features and the Collective Defense approach. Start your on-demand demo now.